I've been working on a tool intended to aid in the testing of web applications for input validation/output encoding vulnerabilities (that allow XSS). This being my first attempt at development, I've gotten to a point where some additional programmatic assistance would help my progress exponentially.

Right now the tool is a .Net Windows Forms GUI that you can use to inject various attack vectors with. It just combines a lot of the different vectors and encoding options on RSnake's Cheat Sheet. Right now it's totally manual and can only create stand-alone HTTP requests. I would like to add proxy functionality so that the tool can be used more easily during testing (especially for persistent XSS). I would also like to add automation eventually as well.

Anyway, if there are any skilled developers out there that think they can contribute, drop me a line and we can talk more about it. I plan on releasing this as an open source tool eventually. Credit will be given where due obviously.

I was planning to build a Firefox extension for this; it could be cool because you can use it in combination with Tor. But I already found such an extension: https://addons.mozilla.org/firefox/3899/

But I'm not satisfied with this "hackbar":
it has fewer options, and no pre-built XSS vectors in it.

Anyone interested in building a "better" one together? It would be great to combine the XSS knowledge you guys have into an extension.
I already have experience with building a Firefox extension,
so that would be no problem.

Jungsonn, honestly, I'd rather have this as a stand alone tool than something built into Firefox for one simple reason - I need it for more than Firefox. I do lots of testing in Internet Explorer, Netscape and Opera too. I'd rather have a standalone proxy that works with any modern browser than a completely integrated tool that only works in one browser. Not to say I wouldn't use something like a Firefox version of Jake's tool, but if I had to have one or the other, I'd much rather have Burp Proxy + HTMangle built together.

Personally I'd like an XSS testing tool to be able to make some smart guesses about how it should 'escape' the tags and stuff, so basically it should check where the strings submitted to the page end up, and see whether they're in text, attributes, JavaScript or anything else and construct the attack vector accordingly. Of course you'd need HTML parsing for this, and yes, you want to mimic the browser's behaviour, so it won't be perfect, but at least it'll be a good guess.

Those feedback loops are interesting. I know more than one company is working on that concept. It's just really really difficult to know how one input parameter affects another. Especially when you may be talking about hundreds of variants on a single page. The logic gets really complex really fast. Take Hong's onmouseover XSS fragmentation attack against Microsoft. Eesh! Show me the program that can find that!

vandread Wrote:
-------------------------------------------------------
> Personally I'd like an XSS testing tool to be able
> to make some smart guesses about how it
> should 'escape' the tags and stuff, so basically
> it should check where the strings submitted to the
> page end up, and see whether they're in text,
> attributes, JavaScript or anything else and
> construct the attack vector accordingly. Of course
> you'd need HTML parsing for this, and yes, you
> want to mimic the browser's behaviour, so it won't
> be perfect, but at least it'll be a good guess.

I agree. One that tries to cause an error and analyzes the results, then tries to close in on the error based on what is escaped, etc., etc. It would spider the site and identify forms and PHP variables and try to inject them each individually. It would probably take a few minutes to run and then output all detected XSS holes with working strings, as well as any that caused errors but it was unable to get to XSS.
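The first step of what vandread describes and the post above seconds, namely finding where a submitted string lands and what the page did to the characters around it, as an added example (not code from any poster's tool; the canary value, the probe characters and the sample response are all constructed, and the survivor walk assumes the server reflects the probe characters in order, encoding or dropping each one):

```python
from html.parser import HTMLParser

CANARY, SPECIALS = "canary7f3", '<"\''  # constructed marker, and the breakout chars sent after it

def survivors(raw, pos):  # which specials came back literal right after the canary
    out = []
    for expected in SPECIALS:                   # assumes the server keeps the probe's order
        if raw.startswith("&", pos):            # an entity (&lt; &quot; &#39; ...) is one encoded token
            end = raw.find(";", pos)
            pos = end + 1 if end != -1 else pos + 1
        elif raw.startswith(expected, pos):     # literal: the breakout character survived
            out.append(expected)
            pos += 1
        # anything else means this character was dropped; re-check the next expected one
    return out

class ReflectionLocator(HTMLParser):  # hits: (context, attribute name, surviving specials)
    def __init__(self, raw):
        super().__init__(convert_charrefs=False)  # keep entities raw so escaped != unescaped
        self.raw, self.hits, self.in_script = raw, [], False
        self.line_starts = [0] + [i + 1 for i, c in enumerate(raw) if c == "\n"]
        self.feed(raw)
        self.close()

    def _record(self, context, attr):           # getpos() is the current token's (line, column)
        line, col = self.getpos()
        idx = self.raw.find(CANARY, self.line_starts[line - 1] + col)
        self.hits.append((context, attr, survivors(self.raw, idx + len(CANARY))))

    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        for name, value in attrs:               # attribute values arrive entity-decoded
            if value and CANARY in value:
                self._record("attribute", name)

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):                # script bodies are delivered here as well
        if CANARY in data:
            self._record("script" if self.in_script else "text", None)

# Constructed response: the same probe reflected in three contexts with different encoding.
SAMPLE = ("<html><body>\n<p>Results for canary7f3&lt;&quot;&#39;</p>\n"
          '<input name="q" value="canary7f3<&quot;\'">\n'
          "<script>var q = 'canary7f3<\"'';</script>\n</body></html>")

if __name__ == "__main__":
    for context, attr, alive in ReflectionLocator(SAMPLE).hits:
        print(context, attr or "-", "survived:", "".join(alive) or "none")
```

Each hit tells the tester which context the reflection sits in and which breakout characters the page left intact, which is what a context-aware vector builder would key on; a real browser's parser will differ in corner cases, as vandread notes.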

I don't use .Net but I know that it allows for Visual Basic 6 events using some procedural call, and I'm currently writing an obfuscation and deobfuscation module in Visual Studio for character and IP address encoding (based on rsnake's XSS cheat sheet, but coded by hand) that might aid you in your work if that's what you're going to add to your project. So far I've written an assortment of error-proof functions allowing for conversions from ASCII to Decimal, HTML entities, Hexadecimal HTML entities, obfuscated URL form, and back (a little more than available on the XSS cheat sheet), but no Base64 as I haven't quite read up on the algorithm, and refuse to use anything but code I've personally written. It also allows for IPs to be converted from and to Decimal form, but not currently using DWORD only because I didn't place it on the Form. Should I?